Databricks Community

AlbertWang · ‎11-20-2024

Hi all,

I created an Azure Databricks Workspace, and the workspace creates an Azure Databricks managed storage account.

The networking configuration of the storage account is "Enabled from all networks".

Shall I change it to "Enabled from selected virtual networks and IP addresses" for better security?

I clicked the checkbox "Enabled from selected virtual networks and IP addresses" and there are 10 virtual networks appear in the section "Virtual networks" section. The "Endpoint Status" all show "Insufficient permissions".

Is that OK to:

Change the networking configuration to "Enabled from selected virtual networks and IP addresses"
Disable the "Allow storage account key access".
Enable the "Default to Microsoft Entra authorization in the Azure portal"

Thank you.

Regards,

Albert

Walter_C · ‎11-20-2024

Changing the networking configuration of your Azure Databricks managed storage account to "Enabled from selected virtual networks and IP addresses" is a good step for enhancing security. However, the "Insufficient permissions" status you are seeing for the virtual networks indicates that you do not have the necessary permissions to view or modify the network rules for those subnets. This does not necessarily mean that the configuration will not work, but it does mean you need to ensure that the appropriate permissions are granted.

Here are the steps you should follow:

Change the Networking Configuration:
- It is indeed advisable to change the networking configuration to "Enabled from selected virtual networks and IP addresses" for better security.
Permissions:
- Ensure you have the necessary permissions to manage network rules for the virtual networks. You might need to work with your Azure administrator to get these permissions.
Disable Storage Account Key Access:
- Disabling "Allow storage account key access" is a good practice as it enhances security by ensuring that access to the storage account is managed through Azure Active Directory (AAD) rather than storage account keys.
Enable Microsoft Entra Authorization:
- Enabling "Default to Microsoft Entra authorization in the Azure portal" is also recommended as it ensures that access to the storage account is managed through AAD, providing better security and manageability.

AlbertWang · ‎11-20-2024

Thank you, @Walter_C.

The 10 networks, I believe, are Azure Databricks networks in this region. Therefore, I do not have the necessary permissions to view or modify the network rules for those subnets. Do I need the permissions to view or modify them? I guess not because this Storage Account is only used by Azure Databricks, but would want to confirm.

I know disabling "Allow storage account key access" is a good practice. However, I don't know how Databricks accesses this Storage Account. If Databricks access via storage account key, then disabling it will cause issue.

The same for Enabling "Default to Microsoft Entra authorization in the Azure portal".

This storage account is not mine storage account for my computes to access, so I don't know how Databrickss use them.

Walter_C · ‎11-21-2024

You dont need view on the subnets itself.

In regards the Disabling key access you could use any of the other authentication methods listed here: https://learn.microsoft.com/en-us/azure/databricks/connect/storage/azure-storage#connect-to-azure-da...

Databricks Community

Networking configuration of Azure Databricks managed storage account

Connect with Databricks Users in Your Area

Securely share data, analytics and AI

Data Intelligence for Data Engineers

Databricks Learning Festival (Virtual): 15 January - 31 January 2025